Energy Audition based Cyber-Physical Attack Detection Systemin IoT

Yang ShiCenter for Cyber-Physical Systems,

University of GeorgiaAthens, Georgia

yang.atrue@uga.edu

Fangyu LiCenter for Cyber-Physical Systems,

University of GeorgiaAthens, Georgia

fangyu.li@uga.edu

WenZhan SongCenter for Cyber-Physical Systems,

University of GeorgiaAthens, Georgiawsong@uga.edu

Xiang-Yang LiUniversity of Science and Technology

of ChinaHefei, China

xiangyangli@ustc.edu.cn

Jin YeCenter for Cyber-Physical Systems,

University of GeorgiaAthens, Georgiajin.ye@uga.edu

ABSTRACTIn this paper, we propose an attack detection framework in the In-ternet of Things (IoT) devices. The framework applies a data-centricmethod to process the energy consumption data and classify theattack status of the monitored device. We implement the frameworkin real hardware, and emulate common types of attacks to evaluatethe performance of the attack detection framework. Due to thecharacteristic of the energy data, not only cyber attacks but alsophysical attacks such as heating are also emulated and tested. Toshorten the detection time, a two-stage strategy is also proposedto first apply a short time window for a rough detection, then along time window to the fine detection of anomalies. The accuracyof short-term detection is 90%, while in the long-term detectionsthe accuracy reaches 99.5%. Due to the nature of information fromenergy consumption data, the framework is more secure in casesthe kernel of the device is already compromised.

CCS CONCEPTS• Security and privacy → Intrusion/anomaly detection andmalwaremitigation; •Networks→Network security; Sensornetworks; • Computing methodologies→ Machine learning.

KEYWORDSCyber-physical attack detection,Internet of Things, Energy con-sumption, Machine learningACM Reference Format:Yang Shi, Fangyu Li, WenZhan Song, Xiang-Yang Li, and Jin Ye. 2019. EnergyAudition based Cyber-Physical Attack Detection System in IoT. In ACMTuring Celebration Conference - China (ACM TURC 2019) (ACM TURC 2019),May 17–19, 2019, Chengdu, China. ACM, New York, NY, USA, 5 pages. https://doi.org/10.1145/3321408.3321588

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than ACMmust be honored. Abstracting with credit is permitted. To copy otherwise, or republish,to post on servers or to redistribute to lists, requires prior specific permission and/or afee. Request permissions from permissions@acm.org.ACM TURC 2019, May 17–19, 2019, Chengdu, China© 2019 Association for Computing Machinery.ACM ISBN 978-1-4503-7158-2/19/05. . . $15.00https://doi.org/10.1145/3321408.3321588

1 INTRODUCTIONComputer systems use energy, and energy provides informationabout the system [29]. This information can be utilized in for secu-rity purposes. As the computer systems are more connected thanbefore, the chance of a device getting affected by attacks are highertoday. When human beings involve in the computational tasks alot for computers and laptops, it is easier for the operators to findthe attacks as their operations are affected by the attacks directly.However, for Internet of Things (IoT) systems, attacks are usuallyhard to be detected as the impacts can be delayed [25]. The securityissues in IoT has become more important in recent days as IoT ismore attainable to our daily life recently.

There are a lot of attack detection technologies are specificallydeveloped for IoT systems to address the IoT security issue [14, 21,25, 28]. Among the works solving the issues of IoT security, the de-tection methodologies are categorized as software-based methodsand data-driven methods [13, 24]. While the software-based meth-ods like blacklisting [32], firewalls [15] are not versatile enoughfor the changes in attacks, the data-driven methods are capable toadjust to changing attacks. The data-driven detection results aregenerated from the observations of the system usages and statistics,and thus is more secure [34]. However, since the system usage andstatistics data are reported from the kernel, once the computer iscompromised, the data integrity cannot be guaranteed. Moreover,the traditional data-driven methods are usually designed for de-tections of cyber attacks, but they rarely cover physical attacks.Some more recent works focus on using energy to detect anomalies[6, 11, 18, 19], but none of them dedicated to classify the categoryof attacks.

Energy consumption information from devices are good resourcesfor monitoring the system security. This information is monitoredoutside from the operating system kernel, and thus cannot be com-promised by hackers in the kernel of the monitored devices. Giventhe monitoring device is not participating on the computation andinformation sharing tasks of IoT, we use local networks for the mon-itoring devices to secure the energy consumption data integrity.Thus, we propose using energy consumption data as a more securedata driven solution for IoT attack detection. Moreover, previousworks mainly focus on the cyber attacks, while for the physicalattacks, our framework is a better fit naturally because of the data

ACM TURC 2019, May 17–19, 2019, Chengdu, China Y. Shi et al.

source. For example, in the attacks of Virus, the energy consump-tion is mainly from the computation of CPU, while in the physi-cal attack of Heating, the actual usage of each component is notchanged, but as the temperature increases, less heat cannot be ra-diated out from the devices, and thus the total energy usage isincreased. In most existing methods, the data source is the systemstatistics or usages, which is the internal information of the sys-tem [24]. Energy consumption data is more capable as a physicaldata source for the physical attacks.

A data-centric framework for detecting attacks in IoT devicesis proposed in this paper. In the framework, we attach a low-costenergy meter to monitor and collect the energy consumption data.The collected data is sent to a centralized server. Six major cyber orphysical attacks including Virus, Intrusion, Deny of Service(DoS), Heating, Trojan, Power Line Cut for IoT devices arethen emulated in the devices. The collected energy consumptiondata is labeled accordingly. We train and store statistical modelsbased on the labeled data on the server. Once new data is collectedfrom the devices, the models perform two-stage classifications.Within a short time, the short-term model detects whether thedevice is with anomalies, and within a longer time, the long-termmodel performs a finer classification of the attack type in the device.

The main contribution of this work is summarized as below:• A data-driven framework of energy data based fast attackdetection is designed, implemented and evaluated.

• The proposed framework is also able to detect not only cyberattacks and anomalies but also physical attacks.

• Six common cyber and physical attacks are emulated in IoTdevices, device energy consumption data are collected.

• A two-stage detection strategy is designed and a statisticalmodel is trained on the collected data, through which thesecurity status of IoT devices are detected. Both cyber andphysical types of attacks are classified with the model.

The rest of this paper is organized as follows. Section 2 describesthe proposed system design, the architecture, and attacks we de-signed. The data processing is also introduced in this section. Theanalysis of our proposed framework, and its comparison with exist-ing related schemes are presented in Section 3. Finally, we presentour concluding remarks and future research directions in Section 4.2 ANOMALY DETECTION SYSTEM DESIGNThe system of the framework is designed as shown in Figure 1. Inthis section, we first introduce the hardware design of the proposedIoT security system, then we introduce the data processing andclassification of the framework.

Figure 1: The proposed framework.

2.1 Hardware designIn the emulation of the energy monitoring and attack detections, weuse the Raspberry Pi 3 Model B [3] as the IoT devices. This modelis powered by USB cables and has GPIO pins for external inputsand outputs. The Raspberry Pis are installed with Raspbian [4] asthe operation system. Raspbian is a Linux based system specificallydesigned for Raspberry Pis. Inside the Raspbian kernel, we installa background program to emulate the normal behaviors of IoTdevices. The background programs by default periodically collectdata from sensors, and store the data locally, then send the data tothe processing server by batch. To achieve this, the Raspberry Pisare mounted with sensors for background program data collection.In our experiment, we also use the energy meters as the sensors.

We use INA 219 [1] as the energy meter in our experimentsettings. The INA 219 energy meter is a lightweight and low-costenergy consumption sensor. It can be easily attached on the side ofIoT devices. The USB cables are cut open and the positive powerconductors are series connected with the energy meters. Everydevice is monitored by one energy meter.

Figure 2: Hardware design of the proposed framework.Shown in Figure 2 is our hardware of the framework. The IoT

device B in the figure is the device to be monitored, and the device Ais the monitoring device. As introduced, the INA 219 energy meteris shown in the area in the red frame, covered by the electricaltape. In the cover of the tape of B, as the USB offers energy fordevice B, the energy consumption is collected by the energy meterand sent to the device A through the GPIO pins. The power of theenergy meter is also supplied by device A from the GPIO pins. Theenergy consumption data sampled at 1 Hz in device A is sent to acentralized InfluxDB [2] server, then processed for attack detection.2.2 Data flow and visualization

Figure 3: The data flow in the processing server.In the processing server, the data is processed as shown in Figure3. The data is first preprocessed and features are extracted formachine learning. We match the anomaly or normal situation of thecollected data, and label the data in categories of Normal, Virus,Intrusion, DoS, Heating, Trojan, Power Line Cut. Thelabeled data is then trained with machine learning models, and themodels are stored locally on the server. Once new data is collectedfrom the devices and sent to the server, same preprocessing and

Energy Audition based Cyber-Physical Attack Detection System in IoT ACM TURC 2019, May 17–19, 2019, Chengdu, China

feature extraction operations are applied and classifications are thenperformed by the trained model. The results of the classificationsare stored in InfluxDB for visualization.

Figure 4: The visualization of proposed framework.

After the data is collected to the server, visualization is availablein Grafana [12]. The visualization is shown in Figure 4, where wehave four IoT devices monitored, and energy consumption data areplotted in separate panels. The detection results are in the first twopanels of every row. The first panel of each row is the short termdetection result, and detects whether the monitored device is underabnormal situation. The second panel of each row is the long termdetection results, and shows the fine-grained detection result of theattack category that the anomaly belongs to.

2.3 Attack DesignWe design the attack prototypes to perform the concept of attackswhile avoid making malignant impacts on the systems. Recently, dif-ferent attacks have been emulated in works from industrial IoT [27],smart home [10], smart phone [30] application scenarios. Accord-ing to these works, the length of attacks can be long or transient.We decided to focus on the long attacks because of the limitationof the sampling rate of the energy consumption data. The lengthof a single attack prototype is set as 2 minutes. In total, we have 6types of attacks, the cyber attacks are designed as below:

• Virus [23]: A program that continuously consume compu-tational resource is created. The program performs primefactorization continuously for 2 minutes, stores the resultslocally, and then sleep for another 2 minutes.

• Intrusion [7]: The attacking device continuously guess thepassword of the monitored device, and try to use ssh com-mand to log in the kernel.

• DoS [33]: Considering the similarity of DoS attack and portscanning, we use port scanning in the simulation of DoSattack. Another device continuously scan the port of themonitored device.

• Trojan [16]: One major characteristic and threat of trojansis that it will send critical informations to the controller ofthe trojans. We create a program that sends a trained deeplearning model to the server every 2 minutes to simulate theprocess of sending data through networks.

The physical attacks are designed as below:• Heating [9]: We place a 12 watt light bulb within 5 cm ofthe monitored device to heat the device.

• Power Line Cut [22]: The power line is directly pulled offin this attack type to simulate the situation that power linesare cut.

With the settings of emulated attacks, energy consumption dataare collected and used to classify anomalies in the IoT devices.

2.4 Preprocessing and feature extractionThe collected signal is noisy and unstable. To get more stable read-ings, in the preporcessing part, a Savitzky-Golay filter [26] is appliedto smooth the signals in a sliding time window. Since the normaland abnormal status are continuous and no transient attacks areemulated, we assume the short and intense value spikes in the col-lected data are noises. Median filters has been applied to eliminatethese noisy spikes.

After getting the denoised and smoothed data, statistical andspectral features are extracted. As investigated on the related works[8, 31], features listed below are applicable for anomaly detections:

• Mean,Standard deviation, Skewness, Kurtosis: Thefirst, second, third and forth moment of the windowed signal.

• Min, Max: The minimum and maximum value of the win-dowed signal.

• Interquartile range (IQR): The distance of the first andthird quartile of the windowed signal.

• cumulative sum (CUSUM): The cumulative sum of the win-dowed signal.

• Fast Fourier transform (FFT): The real part of the FFTon the windowed signal.

The extracted features are concatenated with the smoothed sig-nal for the classification model training and evaluation. Due to thehigh dimensionality of the data, we apply principle componentanalysis (PCA) on the concatenated data for a faster classification.In the PCA process, we select the eigenvectors with the 10 highesteigenvalues, which contains 99.56% information from the originalselected features, which are originally with a dimension of 548.

2.5 Two-stage detectionDue to the design of the system, the classification is based on thenewest data available, and thus the detection speed is dependenton the sliding window of the detections. Since the system requiresa fast detection, we separated our detection tasks into two stages,namely short-term and long-term classification.

For the short-term classification, we only use the smoothed signalwithout the features extracted in a short sliding time window, andfor the long-term classification, we use the concatenated data con-taining the extracted features. The classification process requires alonger sliding time window to perform a higher performance.2.6 Classification algorithmsIn the framework, models are leveraged in the anomaly classifi-cation. As indicated, features of different attacks are different ac-cording to the attack characteristics. To distinguish the differentdistributions of the features, we apply k-nearest neighbor (KNN)[20] algorithm and neural networks (NN) [17] with different param-eters, and also provide a performance comparison for evaluation.

In KNN algorithm, the neighbors within the k distance are as-signed with a weight of 1/k . The classification precess is described

ACM TURC 2019, May 17–19, 2019, Chengdu, China Y. Shi et al.

in the equation below:

y = arдminc ∈C

∑xi ∈N

wi | |x − xi | |2, (1)

where, the neighboring samples in the neighborhood N labeled asc are denoted as xi , and the corresponding weight is denoted aswi .In our situation,wi is assigned as 1/k . The input is classified as thelabel of samples that have a minimal weighted distance.

NN is a statistical model that use multi-layer perceptrons to buildthe classifier. In our comparison, we use Adam [5] as the optimizerand rectified linear unit (ReLU), denoted as R(·), as the activationfunctions. In each layer, the NN perform a linear transformationfrom the previous layer:

hi+1 = R(wihi + bi ), (2)

where the i-th layer’s input is hi ∈ Rmi×n , the weight and biason the layer are respectively denoted as wi ∈ Rmi+1×mi and bi ∈Rmi+1×n , giving the sample size is n. The classifier employs a Soft-max function to calculate the final possibilities of the label that theinput sample is classified as. The Softmax function is described as:

y = arдmaxc ∈C

hL(c)∑c ∈C hL(c)

, (3)

where the total layer of the model is L, and hL ∈ RC×n . The totalnumber of classes is denoted as C .3 EVALUATIONWe evaluate the framework in two parts. After introducing theexperiment settings, we first evaluate the classification accuracy,and then due to the fast requirement, we also evaluate on thedetection speed of the framework.3.1 Experiment settingsIn the experiments, we launch the proposed attacks in four Rasp-berry Pi 3 models, and collect the energy consumption data in theattacked devices. We also collect the energy consumption data fromthe devices under the normal status as comparisons. It should alsobe noticed that according to the attack prototype design, we do notconsider transient attacks in the evaluations.

In the classification period, the evaluation is based on 10-foldcross-validations to make sure the evaluation result is validated.We compare KNN and NN as the classification algorithms. The NNalgorithms in training phase has the maximum iteration as 200,learning rate as 0.001. For 1 layer classifications, the layer has 100feature nodes, and for 2 layer classifications, the features nodes are100, 20 respectively. In short-term classifications, the length of timewindow is 10 seconds, while for long-term classifications, the timewindow length is 180 seconds.

The dataset consists of recordings from 4 IoT devices. Differentreal attacks are performed and emulated, and each recording is of 2hours length. 3 recordings are collected from each device. In total,85666 samples from 12 recordings are collected, among which halfare the normal data, and another half are different attack data, fromdifferent categories of attacks.3.2 Anomaly detection performanceThe long-term anomaly detection performance is shown in Table 2,and the short-term anomaly detection performance are shown inTable 1. In the confusion matrices, every row is the ground truth,

and the every column is the classification results. The positive isdefined as the anomalies. The metrics that we use are accuracy,false positive rate (FPR), and sensitivity. The accuracy evaluates thegeneral performance of the classifiers, while FPR and sensitivityevaluate the false alarms and missing detections respectively.Table 1: Short-term anomaly detectionmodel performances

Model Accuracy FPR Sensitivity1-layer NN 61.7% 12.7% 36.9%2-layer NN 85.5% 8.7% 79.9%

2-nearest neighbor 85.3% 21.1% 91.5%7-nearest neighbor 90.0% 6.9% 87.1%12-nearest neighbor 89.9% 7.4% 87.2%

In the short-term classifications, the detection time is satisfying,which is only 5 seconds. For performance, the NN based modelscannot classify the anomalies correctly, especially in 1 layer model.The KNNmodel performs better than the NNmodel in this situation,and achieves around 90% accuracy in k = 7 and k = 12 models.The accuracy is not satisfying in short-term situation, we furtherevaluate on the long-term version for a comparison.Table 2: Long-term anomaly detectionmodel performances

Model Accuracy FPR Sensitivity1-layer NN 97.2% 0.3% 94.8%2-layer NN 97.8% 0.2% 95.8%

2-nearest neighbor 99.4% 0 98.8%7-nearest neighbor 99.4% 0 98.9%12-nearest neighbor 99.4% 0 98.8%

In the long-term classifications, the accuracies are satisfying. ForNN based classifiers, the accuracy is around 97% to 98%, while forthe KNN based algorithms, the accuracy is above 99%. The onlymisclassifications happen in the classification of Trojan and Virus,since both of them are periodical, and the periods of them are set assame in our experiment. and The classification accuracy is compara-ble with the software based anomaly detection in most state-of-artworks. This result also shows that our proposed framework pro-vides flexibility in the model that is chosen. However, the long-termclassification requires long time window, which means that theclassification is not stable until collecting the full time window ofdata. This is the reason we keep the short-term model available inthe framework for a faster detection.3.3 Anomaly detection speedSince the detection speed is also important factor in real-time frame-works, we also compare the detection speed of different classifi-cation algorithms. The averaged classification time of each of the80000 sample of the inputs are shown in Table 3. The experiment isperformed on a PC with Intel Core i5-2500 CPU 3.30GHz, and thememory size is 32 GB.

Table 3: Detection time of anomaly detection models

Model Short-term(s) Long-term(s)1-layer NN 1.78 × 10−6 1.49 × 10−62-layer NN 7.01 × 10−6 1.86 × 10−6

2-nearest neighbor 5.57 × 10−5 2.04 × 10−57-nearest neighbor 8.29 × 10−5 4.98 × 10−512-nearest neighbor 1.02 × 10−4 8.82 × 10−5

Energy Audition based Cyber-Physical Attack Detection System in IoT ACM TURC 2019, May 17–19, 2019, Chengdu, China

The detection time of a single anomaly classification dependson the time window length in our framework. The comparisonsshow that with a detection of less than 0.1 microseconds, the im-plementation of the framework satisfies with the requirement ofour attack detection system.

4 CONCLUSIONIn this paper, a framework for IoT cyber-physical attack detection isintroduced, implemented and evaluated. The energy consumptionbased method is a data centric method, and more secure than kerneldata based methods because of the nature of side channel analysis.The framework is not only able to detect some common types ofthe cyber attacks, but also physical attacks such as power line cutand heating. The system currently is able to detect the anomaliesin a time range of around 5 seconds. In order to provide a moreaccurate classification, we use the long-term classification to detectthe anomalies with an accuracy of more than 99% in 3 minutes.

ACKNOWLEDGEMENTOur research is partially supported by NSF-1663709 and SouthernCompany.

REFERENCES[1] [n. d.]. Adafruit INA219 Current Sensor Breakout. https://learn.adafruit.com/

adafruit-ina219-current-sensor-breakout/overview[2] [n. d.]. InfluxDB. https://www.influxdata.com/[3] [n. d.]. Raspberry Pi 3 Model B. https://www.raspberrypi.org/products/

raspberry-pi-3-model-b/[4] [n. d.]. Raspbian. https://www.raspberrypi.org/downloads/raspbian/[5] 2017. Adam: A Method for Stochastic Optimization. arXiv:1412.6980 http:

//arxiv.org/abs/1412.6980[6] Robert Bridges, Jarilyn Hernández Jiménez, Jeffrey Nichols, Katerina Goseva-

Popstojanova, and Stacy Prowell. 2018. Towards malware detection via cpupower consumption: Data collection design and analytics. In 2018 17th IEEE In-ternational Conference On Trust, Security And Privacy In Computing And Commu-nications/12th IEEE International Conference On Big Data Science And Engineering(TrustCom/BigDataSE). IEEE, 1680–1684.

[7] Ismail Butun, Salvatore D. Morgera, and Ravi Sankar. 2014. A Survey of IntrusionDetection Systems in Wireless Sensor Networks. IEEE Communications Surveys &Tutorials 16, 1 (FebJan 2014), 266–282. https://doi.org/10.1109/surv.2013.050113.00191

[8] Shane S. Clark, Benjamin Ransford, Amir Rahmati, Shane Guineau, Jacob Sor-ber, Kevin Fu, and Wenyuan Xu. 2013. WattsUpDoc: Power Side Channelsto Nonintrusively Discover Untargeted Malware on Embedded Medical De-vices. In 2013 USENIX Workshop on Health Information Technologies. Washing-ton, D.C. https://www.usenix.org/conference/healthtech13/workshop-program/presentation/Clark

[9] Luigi Coppolino, Valerio DAlessandro, Salvatore DAntonio, Leonid Levy, andLuigi Romano. 2015. My Smart Home is Under Attack. In 2015 IEEE 18th Inter-national Conference on Computational Science and Engineering. IEEE, 145–151.https://doi.org/10.1109/cse.2015.28

[10] Ali Dorri, Salil S. Kanhere, Raja Jurdak, and Praveen Gauravaram. 2017.Blockchain for IoT security and privacy: The case study of a smart home. 2017IEEE International Conference on Pervasive Computing and Communications Work-shops (PerCom Workshops) January (2017), 618–623. https://doi.org/10.1109/PERCOMW.2017.7917634

[11] Carlos Aguayo Gonzalez and Alan Hinton. 2014. Detecting malicious softwareexecution in programmable logic controllers using power fingerprinting. InInternational Conference on Critical Infrastructure Protection. Springer, 15–27.

[12] Grafana Labs. 2018. Grafana. https://grafana.com/[13] Elike Hodo, Xavier Bellekens, Andrew Hamilton, Pierre-Louis Dubouilh, Ephraim

Iorkyase, Christos Tachtatzis, and Robert Atkinson. 2016. Threat analysis ofIoT networks using artificial neural network intrusion detection system. In 2016International Symposium on Networks, Computers and Communications (ISNCC).IEEE, 1–6. https://doi.org/10.1109/isncc.2016.7746067

[14] Prabhakaran Kasinathan, Claudio Pastrone, Maurizio A. Spirito, and MarkVinkovits. 2013. Denial-of-Service detection in 6LoWPAN based Internetof Things. In 2013 IEEE 9th International Conference on Wireless and MobileComputing, Networking and Communications (WiMob). IEEE, 600–607. https://doi.org/10.1109/wimob.2013.6673419

[15] Sylvain Kubler, Kary Främling, and Andrea Buda. 2015. A standardized approachto deal with firewall and mobility policies in the IoT. Pervasive and MobileComputing 20 (July 2015), 100–114. https://doi.org/10.1016/j.pmcj.2014.09.005

[16] Amey Kulkarni, Youngok Pino, and Tinoosh Mohsenin. 2016. Adaptive real-timeTrojan detection framework through machine learning. In 2016 IEEE InternationalSymposium on Hardware Oriented Security and Trust (HOST). IEEE, 120–123.https://doi.org/10.1109/hst.2016.7495568

[17] S. C. Lee and D. V. Heinbuch. 2001. Training a neural-network based intrusiondetector to recognize novel attacks. IEEE Transactions on Systems, Man, andCybernetics - Part A: Systems and Humans 31, 4 (July 2001), 294–299. https://doi.org/10.1109/3468.935046

[18] Fangyu Li, Yang Shi, Aditya Shinde, Jin Ye, and Wen Zhan Song. 2019. EnhancedCyber-Physical Security in Internet of Things through Energy Auditing. IEEEInternet of Things Journal (2019).

[19] Fangyu Li, Aditya Shinde, Yang Shi, Jin Ye, Xiang-Yang Li, and Wen Zhan Song.2019. System Statistics Learning-Based IoT Security: Feasibility and Suitability.IEEE Internet of Things Journal (2019).

[20] Yihua Liao and Vemuri. 2002. Use of K-Nearest Neighbor classifier for intrusiondetection. Computers & Security 21, 5 (Oct. 2002), 439–448. https://doi.org/10.1016/s0167-4048(02)00514-x

[21] Caiming Liu, Jin Yang, Run Chen, Yan Zhang, and Jinquan Zeng. 2011. Researchon immunity-based intrusion detection technology for the Internet of Things.In 2011 Seventh International Conference on Natural Computation. IEEE, 212–216.https://doi.org/10.1109/icnc.2011.6022060

[22] Ren Liu, Ceeman Vellaithurai, Saugata S. Biswas, Thoshitha T. Gamage, andAnurag K. Srivastava. 2015. Analyzing the Cyber-Physical Impact of CyberEvents on the Power Grid. IEEE Transactions on Smart Grid 6, 5 (Sept. 2015),2444–2453. https://doi.org/10.1109/tsg.2015.2432013

[23] Mark A. Ludwig. 2016. The Giant black book of computer viruses. http://www.worldcat.org/isbn/194811755

[24] Jesus Pacheco and Salim Hariri. 2016. IoT security framework for smart cyber in-frastructures. In Foundations and Applications of Self* Systems, IEEE InternationalWorkshops on. IEEE, 242–247.

[25] Pavan Pongle and Gurunath Chavan. 2015. A survey: Attacks on RPL and6LoWPAN in IoT. In 2015 International Conference on Pervasive Computing (ICPC).IEEE, 1–6. https://doi.org/10.1109/pervasive.2015.7087034

[26] William H. Press and Saul A. Teukolsky. 1990. Savitzky-Golay Smoothing Filters.Computers in Physics 4, 6 (1990), 669+. https://doi.org/10.1063/1.4822961

[27] Ahmad-Reza Sadeghi, Christian Wachsmann, and Michael Waidner. 2015. Secu-rity and privacy challenges in industrial internet of things. In Proceedings of the52nd Annual Design Automation Conference on - DAC ’15 (DAC ’15). ACM Press,New York, NY, USA, 1–6. https://doi.org/10.1145/2744769.2747942

[28] Niki Tsitsiroudi, Panagiotis Sarigiannidis, Eirini Karapistoli, and Anastasios A.Economides. 2016. EyeSim: A mobile application for visual-assisted wormholeattack detection in IoT-enabled WSNs. In 2016 9th IFIP Wireless and Mobile Net-working Conference (WMNC). IEEE, 103–109. https://doi.org/10.1109/wmnc.2016.7543976

[29] Tsuyoshi Ueno, Fuminori Sano, Osamu Saeki, and Kiichiro Tsuji. 2006. Effec-tiveness of an energy-consumption information system on energy savings inresidential houses based on monitored data. Applied Energy 83, 2 (Feb. 2006),166–183. https://doi.org/10.1016/j.apenergy.2005.02.002

[30] Dong Wang, Jiang Ming, Ting Chen, Xiaosong Zhang, and Chao Wang. 2018.Cracking IoT Device User Account via Brute-force Attack to SMS AuthenticationCode. In Proceedings of the First Workshop on Radical and Experiential Security -RESEC ’18. ACM Press, 57–60. https://doi.org/10.1145/3203422.3203426

[31] Hongyu Yang and Ruiwen Tang. 2016. Power Consumption Based AndroidMalware Detection. Journal of Electrical and Computer Engineering 2016 (2016),1–6. https://doi.org/10.1155/2016/6860217

[32] Asma Zahra and Munam A. Shah. 2017. IoT based ransomware growth rateevaluation and detection using command and control blacklisting. In 2017 23rdInternational Conference on Automation and Computing (ICAC). IEEE, 1–6. https://doi.org/10.23919/iconac.2017.8082013

[33] Heng Zhang, Peng Cheng, Ling Shi, and Jiming Chen. 2015. Optimal Denial-of-Service Attack Scheduling With Energy Constraint. IEEE Trans. Automat. Control60, 11 (Nov. 2015), 3023–3028. https://doi.org/10.1109/tac.2015.2409905

[34] Minhui Zou, Chengliang Wang, Fangyu Li, and WenZhan Song. 2018. NetworkPhenotyping for Network Traffic Classification and Anomaly Detection, In 2018IEEE International Symposium on Technologies for Homeland Security (HST).2018 IEEE International Symposium on Technologies for Homeland Security (HST).